TOTP tokens can absolutely be intercepted. A MITM attack can work like this:
1) User inputs username and pw into spurious site.
2) Spurious site prompts for the user's TOTP token.
3) Spurious site proceeds to immediately log in to the real site w/ username, pw, and valid TOTP token.
4) Bad guys get an HTTP session cookie, which for many sites lasts practically indefinitely.
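The server-side view of the relay described above, as an added illustration that is not part of the original comment: a minimal RFC 6238 TOTP verifier (HMAC-SHA1, 30-second step, 6 digits, using the RFC's published test secret) and a session store with idle and absolute lifetimes. The `simulate_relay` function is a constructed scenario, not a real site or tool; it shows why a code relayed a few seconds after the user typed it is accepted (the server cannot distinguish it from a direct login), and which knobs the defender actually controls: the acceptance window, one-time use of a code, and bounding the lifetime of the session cookie from step 4 instead of letting it last indefinitely.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used only so the
# expected codes are well known; a real deployment uses a random per-user secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the user's app shows)."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server-side check: accept codes within +/-window steps, each counter only once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_counter = -1  # highest counter already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay of an already-used step is refused
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


class SessionStore:
    """Session cookies bounded by an idle timeout and a hard absolute lifetime."""

    def __init__(self, idle_seconds: int = 600, absolute_seconds: int = 3600):
        self.idle, self.absolute = idle_seconds, absolute_seconds
        self.sessions: dict[str, dict] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def is_valid(self, token: str, now: float) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s["created"] > self.absolute or now - s["last_seen"] > self.idle:
            del self.sessions[token]  # expired: the cookie is worthless from here on
            return False
        s["last_seen"] = now
        return True

    def revoke_all(self, user: str) -> int:
        """Invalidate every session of a user, e.g. after a compromise report."""
        doomed = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


def simulate_relay(secret: bytes = TEST_SECRET) -> dict:
    """Constructed timeline: user types a code at t=59, it reaches the real site at t=64."""
    verifier = TotpVerifier(secret)
    store = SessionStore()
    code = totp(secret, 59)                      # what the user's authenticator shows
    relayed = verifier.verify(code, 64)          # submitted 5 s later: still inside the window
    replayed = verifier.verify(code, 70)         # same code a second time: counter consumed
    token = store.create("alice", 64) if relayed else ""
    return {
        "code": code,
        "relayed_accepted": relayed,
        "replay_accepted": replayed,
        "session_valid_soon": store.is_valid(token, 100),
        "session_valid_after_absolute": store.is_valid(token, 64 + 3601),
    }


if __name__ == "__main__":
    for key, value in simulate_relay().items():
        print(f"{key}: {value}")
```

The first result is the comment's point: a correctly implemented verifier accepts the relayed code, because nothing in a TOTP value binds it to the site the user thought they were typing into. The single-use rule only stops a second submission of the same code, and the session bounds limit how long a stolen cookie stays useful; neither substitutes for an origin-bound second factor.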